Media

Stay current on Sonatype news.

TPG is leading an $80 million minority-stake investment in software developer Sonatype Inc. The investment round included participation from Accel, Goldman Sachs Group Inc. and Hummer Winblad Venture Partners, according to a press release. Sonatype, of Fulton, Md., runs a repository of open-source components developers can download and integrate into new software. Customers for its components include technology professionals in the government, financial services, technology, health-care and manufacturing sectors, according to the firm’s website.

Fulton, Maryland-based Sonatype, a provider of automated open source governance, has secured $80 million in funding. TPG led the round with participation from Accel, Goldman Sachs Group and Hummer Winblad.

While they may not qualify as the supergiant rounds that we’ve tracked lately, Masterclass and Sonatype each raised significant amounts of capital from investors this week, helping us to understand their respective categories: edtech and software security.

Sonatype, a Maryland-based cybersecurity company, announced Friday that it has raised $80 million from investors. The funding round was led by San Francisco-based private equity fund TPG Growth, with participation from Accel, Goldman Sachs and Hummer Winblad.

Sonatype, a cybersecurity-focused open-source company, has raised $80 million from investment firm TPG. The company said the financing will help extend its Nexus platform, which it touts as an enterprise-ready repository manager and library, which among other things tracks code and helps to keep everything in the devops pipeline up-to-date and secure.

The funding is a minority investment led by TPG, a San Francisco private equity firm with $84 billion under management, with additional participation by existing investors Accel, Goldman Sachs Group and Hummer Winblad.

Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.

Sonatype operates on the principles of better, safer, and faster delivery with software supply chain automation. The company acquired the OSS Index last year and has now launched an automated and re-designed Open Source Software Index that provides developers with information on OSS dependencies and vulnerabilities for more informed product development.

The 2018 DevSecOps Community Report is out and for those following the growth of DevOps and its subsequent drive into the security community, under the moniker of DevSecOps, the results won't be surprising. In fact, I set out to write some hot-takes from the report that would really dig into an existential evaluation of security in a DevOps world, but in the end, the takeaways from the report are far more pedestrian. Don't read that as not meaningful — in fact, I think the survey results are very meaningful and informative for our path forward.

For every company in every industry, competition is as likely to come from an unknown startup as it is from long-established rivals. In the modern economy, if you’re not innovating fast enough, you’ll get run over by someone who is. Just ask broadcast and cable television companies about Netflix. Ask Hilton and Marriott about Airbnb. The fear of death can be a powerful motivator.

On June 14, entrepreneurs of the greater Washington area came together in celebration of their accomplishments for the 2018 EY Entrepreneur of the Year Mid-Atlantic Awards at the Ritz Carlton in Tysons Corner.

DevOps toolchains, often comprised of existing or acquired software tools, are critical for rapid, reliable and efficient application delivery. Having an integrative, holistic approach to tooling fosters team interaction. These tools working together provide a dramatic improvement to the application lifecycle.

DevOps is intended to dramatically increase the pace of application development and support. This is expected to allow more mistakes to get through to production environments, but that’s OK because they can be corrected right away rather than have to wait for the next development cycle to play out.

Microsoft has announced that it will be acquiring GitHub for US$7.5 billion in an all-stock transaction, representing the tech giant’s largest purchase since professional networking site LinkedIn in 2016 for US$26.2 billion.

The days of workplaces located in a single office are done. Today's workforce is distributed — across multiple small offices, embracing work-at-home-employees, and spread across continents — and IT has always been at the forefront of that change, eagerly embracing new communications technologies that make it possible. But we're only a few years into this shift, and the tools and techniques we've used to manage a workforce and forge them into a team when they don't meet at the water cooler every day are in some ways still in their infancy.

Identity is big, really big, especially when it is customer-facing. There are a lot of moving parts to build, pieces to hook up, and external functionality to integrate. The whole makes the identity ecosystem which was once a dream of a few but is fast becoming a reality for many.

Kubernetes (K8S) is an open-source container orchestration tool that can automatically scale, distribute, and handle faults on containers. Originally created by Google and donated to the Cloud Native Computing Foundation, Kubernetes is widely used in production environments to handle Docker containers (although it supports other container tools such as rkt) in a fault-tolerant manner.

SJ Technologies partnered with Sonatype for the DevSecOps Community 2018 Survey. The survey was wildly popular, receiving answers from more than 2,000 respondents representing a wide range of industries, development practices, and responsibilities. One-third of respondents (33%) came from the technology industry, and banking and financial services was the second most represented group (15%). 70% of all respondents were using a container registry. With so many respondents utilizing containers, a deeper dive into container security is in order.

EY has announced the finalists for the Entrepreneur of the Year 2018 Award in the Mid-Atlantic Region. The awards program recognizes entrepreneurs excelling in areas such as innovation, financial performance and personal commitment to their businesses and communities.

The Maryland Tech Council (MTC), Maryland’s largest technology trade association, announced the winners of its 30th Annual Industry Awards during a celebration and ceremony at The Hotel at the University of Maryland attended by more than 550 business leaders from around the state.

In a recent episode of the Continuous Discussions (#c9d9) podcast, a group of industry experts discussed why DevSecOps is officially more than just a buzzword, tips on how to get everyone in the organization to own security and some of their own challenges and experiences baking security into the software delivery pipeline.

In two weeks GDPR will become law. Unfortunately, far too many organisations are ill prepared when it comes to their compliance readiness. The first large scale breach following 25th May will demonstrate just how unprepared the industry is when it comes to their cybersecurity hygiene.

To succeed in today's marketplace, companies need to innovate, driving everyone from tractor manufacturers to airlines to become software development shops. The pace of innovation precludes building everything from scratch, resulting in 80-90% of a modern application consisting of open source components. This translates to global downloads of open source components in the tens of billions.

More than half of the Fortune 100 could be at risk of falling prey to the same kind of hack that caused devastation at Equifax last year, and it all comes down to poor open source component governance.

The flawed software that led to the data breach at Equifax Inc. is still being downloaded and used at thousands of companies, raising concerns that proliferation of unpatched versions could lead to greater exposure to cyberattacks.

Despite the Equifax breach that exposed the personal data of more than 145 million Americans, Fortune is reporting that thousands of companies have the same computer security holes in their networks that places the sensitive data of consumers at risk.

Equifax said on Friday that in response to requests for additional information, it's shared more breach details with several U.S. Congressional committees. Notably, the data broker said that its breach investigators found that consumers had uploaded images of various government-issued identity documents that were exposed in the attack, including 38,000 driver's licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports.

When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.

International Data Corporation (IDC) today published an IDC Innovators report identifying three technology providers that are considered key emerging vendors in the agile code development market. The three companies named as IDC Innovators are CloudBees Inc., GitLab Inc., and Sonatype, Inc.

If there was one key takeaway for developers from RSA 2018, the cybersecurity industry's massive gathering in San Francisco that ended last week, it was that organizations are shifting security "left" in earnest.

Sonatype published findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions. Survey respondents with mature DevOps practices were 338% more likely to integrate automated security than organizations with no DevOps practice.

As evident by the speaker tracks and hallway discussions here this week at the RSA Conference, the marriage of DevOps and security principles driving the DevSecOps movement is finally gaining traction in the security community.

Cybersecurity has long been said to be a hot industry in the D.C. metro area. In a three-year period from 2011 to 2014, the D.C. metro area saw three cybersecurity acquisitions totaling $4.1 billion. And currently, there are more than 77,500 filled cybersecurity jobs in the D.C. metro area, and another roughly 41,700 job openings in the field, according to records maintained by the Commerce Department’s National Institute of Cybersecurity Education.

IT professionals are recognizing the weaknesses of DevOps and are looking for ways to improve. Security is the main gripe many people have. This has led to increased popularity in DevSecOps. Sonatype recently released a survey where they talked with over two thousand IT professionals about DevOps and where they utilize security.

Sonatype polled 2,076 IT professionals to discover practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions, and the results of the survey showed that breaches related to open source components grew at a staggering 50% since 2017, and 121% since 2014.

The RSA Conference in San Francisco is a hotbed of news, analysis and reports on the security industry, with research from the Cloud Security Alliance (CSA) and automation software provider Sonatype being of particular interest.

Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps automation specialist Sonatype.

Modern software development is trending more toward a componentized approach because developers would rather assemble something using a variety of well-built pieces of third-party code than reinvent the wheel every time they create something new. The approach has done wonders for speed and agility, but it's increasing a lot of enterprise attack surfaces because too few organizations are keeping up with the vulnerabilities these components pose.

A new survey from Sonatype has revealed that DevOps teams are automating security 338 per cent more often as open source breaches jump by 55 per cent. The firm published the findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals which shared practitioner perspectives on evolving DevSecOps practices, shifting investments and changing perceptions.

Within a month of launching a scan for known vulnerabilities in JavaScript and Ruby libraries, the GitHub code repository site identified an incredible 4 million security flaws in the half-a-million repositories on its platform.

For many years, technology startup activity in the metropolitan Washington D.C. area has been respectable but very narrowly focused. Most of these startups, including cybersecurity companies, have traditionally targeted the federal government as their primary customer because the government has always been a much easier sell than the broad commercial market.

Sonatype, a provider of development and operations (DevOps) tools designed to help organizations automate their software supply chains, now offers its Nexus Firewall to developers using the open-source version of its Nexus Repository software storage, distribution and organization tool.

No one ever became a programmer so they could manage open-source licenses. But, that's what many developers must do these days. Black Duck Software, the open-source software logistics and legal solutions provider, and North Bridge found in 2015 that 66 percent of companies create open-source software. That's great, but all that code comes with a wide variety of licenses, each with its own set of requirements. What's a developer or company to do?

Looking for a new gig and not willing to take a pay cut? You’re in luck. There are a handful of jobs that boast solid median base pay as well as a strong track record of pay growth. Glassdoor’s Local Pay Reports show that there are now a wide variety of positions that have been seeing big increases in pay from year to year (and even month to month).

Next month, we're proud to participate in two special events focusing on DevSecOps. Ahead of DevSecOps Days and our webinar with John, we wanted to share some tips and emerging trends for DevSecOps that experts shared on another industry panel - the one held at the recent DevOps Enterprise Summit in San Francisco 2017.

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I’m in blizzard-besieged Boston, Massachusetts, for the epic Spring One Tour Boston event. Unfortunately, due to this crazy snow storm/blizzard, the event’s been postponed one day as we all grapple with the weather. Hope you were able to join the Spring Boot 2.0 launch webinar! If not the replay will be available here and don’t forget to check out the launch blog!

At this point, the concept of DevOps should be familiar to everyone. But with the rise of cybersecurity attacks, organizations have seen the need to incorporate security into the mix. Thus, the idea of DevSecOps.

More and more people are mining cryptocurrency to cash in on the craze. But some are actually hacking into computers to leverage other people's mining power. Sonatype's Senior Vice President Bill Karpovich explains the danger of these miners and how hackers exploited IBM several years ago.

Hot on the heels of the French legislators, the government in the UK is now announcing tougher guidelines for device manufacturers in its Security by Design review. Crucial here is the move to build security into smart devices from the very beginning and ensure software is automatically updated.

Amid rising concerns about the security of IoT devices, the government today announced its intent to make manufacturers of IoT devices responsible for the security of their products, while also proposing new rules to ensure that buyers are aware of security features in such devices at the time of purchase.

Free and open source software is far more than just another way to develop code. In fact, the rise of the open source revolution represents a fundamental change in the way we use information to create a better world.

DevOps is a philosophy of IT operations that binds the development of services and their delivery to the core principles of W. Edwards Deming’s points on Quality Management. When applied to software development and IT organizations, Deming’s principles seek to improve the overall quality of software systems as a whole.

The number of buggy open source components downloaded in the UK has soared by over 100% over the past year, according to new research from Sonatype. The DevSecOps automation firm revealed that one in eight open source components downloaded in the country last year contained known security vulnerabilities – a 120% year-on-year increase.

DevOps Radio is a CloudBees-sponsored podcast series. Hosting experts from around the industry, the show dives into what it takes to successfully develop, deliver and deploy software in today’s ever-changing business environment. From DevOps to Docker, each episode features real-world insights and a few stories, tips, industry scoop and more.

The French government has drawn up proposals to hold software manufacturers accountable for security vulnerabilities. The proposed legislation would make manufacturers liable for the security of a product while it is on the market, and with the possibility of requiring its software to be made open-source at end-of-life.

The concept of BizDevOps is about bringing business leaders, developers and operations teams together to more quickly create and deploy software. Recent trends in BizDevOps include the introduction of low-code/no-code development platforms, a process that brings more productivity to the equation and enables business analysts and so-called citizen developers to have a bigger hand in building applications.

"I was an individual contributor for the first 10 years of my career. I loved writing software, especially network software, wrangling with complex problems in pursuit of the simplest possible solutions. While I was a good (not great) software developer, I suspected I might be a better leader."

When Intel CEO Brian Krzanich took to the stage at CES in Las Vegas, he could have been forgiven for wanting to be anywhere else in the world. Just days before the world's biggest tech show got underway, it was revealed that almost all PCs, Macs and mobile devices were at risk of being hacked due to a pair of vulnerabilities that existed in an alarming number of Intel, AMD and ARM-produced chips.

As new local and international data protection laws come into force, organisations running high-velocity software development practices must tighten up their governance and risk-management policies, or run the risk of facing severe legal penalties.

The shortlist for the 2018 DevOps Excellence Awards is here! Take a look at the list below to see whether you have made this prestigious selection of excellence in DevOps.

Hundreds of software applications built using the developer framework called Electron may be vulnerable to a remote code execution flaw, according to developers of the framework. Impacted are dozens of popular Windows applications such as Microsoft's Skype for Windows, Slack and the Signal secure messaging application.

We are very pleased to announce the winners of the third annual DevOps Dozen Awards. In many ways this year was a watershed year for the DevOps Dozen, as the process of selecting, voting and choosing the winners was much more refined and mature. In each of the 12 (it is a dozen, after all) categories the winners were absolutely deserving of the award and recognition.

The world's biggest hack might have happened to anyone. The same software flaw hackers exploited to expose 145 million identities in the Equifax database – most likely yours included – was also embedded in thousands of other computer systems belonging to all manner of businesses and government agencies.

Following the news that a fundamental design flaw in Intel's processor chips, dating back to 1995, would allow an attacker to read protected memory, IT security experts commented below.

Very often you can hear arguments about viruses and other malware. Much less often do you hear talk about upgrading systems, patching software, or replacing versions. Here, as a rule, the principle of "if it works, don't touch it" is professed. Yet it is precisely this malware that finds new holes in system and application programs.

At the end of the second quarter of 2017, of the top ten most valuable public companies seven were tech companies while five were software companies. These five companies represented close to $3 trillion in market cap. Apple and Amazon, the other two, clearly have their share of software assets.

With GDPR coming into play May 2018, companies doing business in the EU face the prospect of fines and damaged reputations if they cannot prevent vital corporate and customer data from falling into the wrong hands.

Zealot campaign used EternalBlue and EternalSynergy to mine cryptocurrency on networks. Security researchers have found a new hacking campaign that used NSA exploits to install cryptocurrency miners on victims' systems and networks. They said that the campaign was a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits.

With 2018 fast approaching, here we are at the end of a tumultuous year in the world of cybersecurity. Attacks have been launched on infrastructure and democracy, mainstream media attention has been snatched and billions of sets of data have been plundered.

Containerisation is one of the most exciting tech trends to emerge over the last few years. Designed to work at operating system level, it's a popular virtualisation method that allows IT professionals to deploy and distribute applications easily.

Derek Weeks, VP and DevOps Advocate at Sonatype, discusses how software development has evolved over the past ten years and the influence of DevOps practices across government agencies. Rather than taking a project and hiring people who can code, today systems are put together with blocks of code that are already written.

The loss of $300 million in cryptocurrency shows the urgent need for businesses and cryptocurrency firms to know what libraries and binaries they're using. With open source binaries forming the basis of 80–90% of applications, they play a vital role in driving innovation and powering the world as we know it. However, Parity's issues are a stark reminder that all binaries are not created equal.

When you say "DevOps" one of the first words that comes to mind is "collaboration." Even the structure of the word "DevOps" implies that Dev and Ops are coming together, collaborating in a way they had not done before. On DEVOPSdigest's list 17 Ways to Define DevOps, in the first definition entitled "A Cultural Revolution," Aruna Ravichandran, VP of DevOps Solution Marketing and Management at CA Technologies, said: "DevOps is a cultural revolution that liberates software delivery through cohesive collaboration and advanced automation."

Tuur Demeester, editor in chief at Adamant Research, claimed that of that figure, about £69 million belongs to Parity founder and former Ethereum core developer Gavin Wood's Initial Coin Offering (ICO) Polkadot. "Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July," the advisory stated.

Sonatype's crown jewel is its database of descriptions of over 1.2 million open source packages. "If that is lost, it could be an existential outcome," said Wayne Jackson, CEO of the Fulton, Maryland-based software supply chain management company. To shut down any such leak quickly, Sonatype monitors the web for any indications that its data has been stolen and is being shared online. That monitoring includes the dark web.

By 2022, there will be a shortfall of an estimated 1.8 million security professionals worldwide, with an acute scarcity of the technical professionals needed for secure software development, according to the 2017 Global Information Security Workforce Study. For many people interested in breaking into security, the shortage could be an opportunity. Some 87% of cybersecurity professionals started in a different career, with 30% coming from outside of IT, according to the biennial study.

Every month we recap the biggest tech hires and departures in the D.C. area over the past month. To get hiring and other local innovation news daily, sign up for The Beat. Here's our list of the top hires in D.C. innovation for October.

Much has been written to guide software developers on how to develop secure software. Despite this general awareness, we continue to see vulnerable software produced. One of the observations in the HPE Cyber Risk Report 2016 is that attackers have shifted their focus from servers and operating systems directly to applications.

Security can be a hard sell. It’s difficult to convince development teams to spend their limited cycles patching security holes with line-of-business managers pressuring them to release applications as quickly as possible. But given that 84 percent of all cyberattacks happen on the application layer, organizations can’t afford for their dev teams not to include security.

Bill Karpovich will lead portfolio evolution, strategic partnering, acquisitions, and new growth initiatives worldwide for Sonatype, the leader in software supply chain automation. Reporting to CEO Wayne Jackson, Bill will help the company expand its portfolio and scale operations globally.

If you’ve got DevOps chops, you already know you’re in demand. And if you’re an IT leader hiring for a DevOps shop, you know the challenges in finding good people. Like DevOps itself, the DevOps job market continues to evolve. And let’s be honest: This isn’t an area of consensus in IT, as the ongoing debate about titles such as “DevOps Engineer” attests.

Today's software development teams have increasingly embraced the use of open source and third-party components in building their projects instead of actually starting from scratch. But while open source usage has added significant value to software development, enabling speed and innovation in teams, it has also introduced a host of security vulnerabilities.

Sonatype, Inc. operates as a holding company, which provides enterprise software solutions. Its products include Nexus Repository Managers and Nexus Firewall, Lifecycle, and Auditor. The company was founded by Sarel Jason van Zyl and Brian Fox in 2008 and is headquartered in Fulton, MD.

The term “DevOps” is typically credited to this 2008 presentation on agile infrastructure and operations. Now ubiquitous in IT vocabulary, the mashup word is less than 10 years old: We’re still figuring out this modern way of working in IT. Sure, people who have been “doing DevOps” for years have accrued plenty of wisdom along the way. But most DevOps environments – and the mix of people and culture, process and methodology, and tools and technology – are far from mature.

Microsoft wants to own Quantum Coding. Quantum computing is still in its nascent stage. But Microsoft – probably still wary of missing a trick like it did with mobile – has already staked its claim on the space. The Redmond Company announced this week that it is developing a language for programming quantum bits. The as-yet-unnamed language should be available for preview by the end of the year.

It’s a truism of the Digital Age that anything can be hacked. It’s also a truism that things aren’t always what they seem. Those notions hold true for CCleaner, which, with 115 million monthly active users, is the most popular Windows system-cleaning and -optimizing software in the world. New findings about an attack on older versions of CCleaner, first disclosed last week, indicate that hackers targeted the popular third-party consumer utility in order to infiltrate corporate computer systems.

The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it’s brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

More than 50,000 organizations are using outdated and leaky versions of Apache, the software whose Struts app gave hackers a back door into Equifax—even though free fixes have been available for nine months, according to Sonatype, a firm that monitors downloads of open-source software. Corporate America has been slow to update its open-source software, even after the Equifax hack that exposed 143 million people’s sensitive data. “When you take on use of an open-source project, you’re outsourcing software development to strangers,” says Sonatype CEO Wayne Jackson.

Under-fire credit reporting agency Equifax has confirmed that its CSO and CIO are retiring following a massive data breach at the company affecting 143 million U.S. and 400,000 British customers. A few days later, Equifax brought in security consulting firm Mandiant, now a unit of FireEye and associated with many high-profile forensics investigations including the Yahoo breach the previous year, when data on more than 1 billion accounts were exposed.

The two most senior security roles have since been filled by the credit rating firm, with the world still stunned by the scale of the breach that also affected around 400,000 people in the UK. The way Equifax executives and its IT security team appears to have failed to adequately apply patches, the amount of time it took to discover the depth of the breach and the delay in ultimately reporting it certainly paints a picture of a colossal failure at all levels, including the curiously timed stock sales by top executives (who deny knowledge of the breach at the time of the sale) just days before the disclosure, reported by Bloomberg.

The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.

If you’re not reading this on another planet or in a bunker somewhere, then you’re likely aware of the recent breach of data from credit agency Equifax. Reports indicate that unknown attackers took advantage of a vulnerability in an Equifax web application to purloin personal identifiable information from 143 million people, including Social Security numbers.

With containerization, microservices, and a new software framework popping up seemingly every few months, software is moving fast—so fast that adding security to the agile development processes is difficult because the technologies are changing so quickly.

More than 3,000 organizations could be at risk of suffering an attack against the same vulnerability that allowed hackers to gain access to the records of more than 143 million Americans from credit reporting firm Equifax. The troublesome figure comes from supply chain automation firm Sonatype, which found a total of 3,054 organizations still using a vulnerable version of Apache Struts, a popular web application framework.

The number of organizations that have downloaded vulnerable versions of the Struts2 component (CVE-2017-5638) totals 3,054, according to Sonatype. Analyzing data from the Maven Central repository, the largest distribution point for Java open-source components, Sonatype found a startling lack of hygiene related to enterprise consumption of vulnerable Struts2 components, which were exploited in the massive breach at Equifax.

Equifax has been making headlines the last few weeks for a large security breach involving consumers in the U.S., U.K., and Canada. Attackers gathered the personal information of up to 143 million U.S. consumers, including credit card numbers for about 209,000 people. Other information accessed during the breach includes names, Social Security numbers, birth dates, addresses, and driver’s license numbers, all of which are valuable to identity thieves.

Developers often fail to effectively manage the security of the open-source components they use. Unfortunately, most software incorporates at least one vulnerable component, and that means that, unless developers keep on top of their repository, they are linking vulnerabilities into their code.

U.S. consumer credit reporting agency Equifax Inc. will soon be heading to court with multiple lawsuits being filed against the company following its disclosure of a massive hack last week. The lawsuits, which stand at least two dozen according to Reuters, come in a number of different flavors, including one suit that alleges that Equifax was guilty of equities fraud, while a number of other suits are specifically targeting Equifax’s response to the hack such as its offer of one year of free credit monitoring.

As cybersleuths work to uncover the exact vulnerability hackers exploited to pull off the data theft, one thing companies not wanting to be the next Equifax can do is review the types of open-source software used in applications they deploy—and then look for ways to more effectively mitigate those threats.

In the wake of the hacking last week of U.S. consumer credit reporting agency Equifax Inc., security experts are calling for big changes, including big penalties for the data brokers that hold so much information critical to everyone’s financial life.

Letitia Long, the former director of the U.S. National Geospatial-Intelligence Agency (NGA), has joined Sonatype's Board of Directors.

Steve Hills, the former president and general manager of The Washington Post, has joined Sonatype's Board of Directors.

Letitia Long, former director of the National Geospatial-Intelligence Agency, has been named an independent director of Sonatype’s board of directors. Sonatype said Tuesday Long will work with board representatives from the company’s lead investors that include Goldman Sachs, Accel Partners, New Enterprise Associates and Hummer Winblad Venture Partners.

Letitia Long, the former director of the U.S. National Geospatial-Intelligence Agency and Steve Hills, the former president and general manager of The Washington Post, have joined the board of directors of software supply chain automation company Sonatype as independent directors.

Software supply chain automation leader, Sonatype, has announced support of its new return on investment metrics and application quality within its Nexus Lifecycle solution. The new feature, Success Metrics, enables DevOps teams to measure and quickly assess the ability of their automated open source governance programmes.

Most application developers today don’t write much raw code. Rather, applications developed today are created mostly by combining various modules and widgets to create a custom application. But currently there is little oversight being applied to the provenance of application components, especially when it comes to open-source software.

Imagine if you could improve the quality of your applications and cut development cost at the same time? It is possible, if you can manage the quality of the open source components used by your developers. This is according to the third annual State of the Software Supply Chain Report published by US-based software supply chain automation specialist, Sonatype.

In July, Sonatype released their third annual State of the Software Supply Chain report concluding that when organisations actively manage the quality of open source components in software applications they see a 28% improvement in developer productivity (through reduction in manual governance), a 30% reduction in overall development costs, and a 48% increase in application quality (as application vulnerabilities are removed early reducing their incidence in production).

The move to open source development tools -- already unstoppable -- continues to gain momentum. Years ago, open source was looked upon as a way to save money. Today, a key driver is the clear fact that, with tens of thousands of contributors sharing their expertise and the ever-widening availability of high-quality code, resistance is futile.

As we gear up to release our next e-book on the Kubernetes open source container orchestration engine (check with us in about a month), we have been reviewing how well K8s has been making its way into the enterprise — the true determinant of whether the software becomes an essential component of “the new stack,” so to speak.

Supply chain automation company Sonatype produces what it calls its Software Supply Chain Report every year (now in its third) in an attempt to highlight alleged ‘risks’ lurking within open source software components.

Tens of millions of products ranging from airport surveillance cameras, sensors, networking equipment and IoT devices are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.

Sonatype has announced the release of its third report State of the Software Supply Chain; highlighting risks within open source software components and the benefits of actively managing software supply chain hygiene.

Sonatype, the leader in software supply chain automation, today announced the release of its third annual State of the Software Supply Chain Report. This year’s report highlights risks lurking within open source software components and quantifies the empirical benefits of actively managing software supply chain hygiene.

Heightened awareness about the security risks associated with open source software has increased use of disciplined DevOps practices that have improved application quality and developer productivity, a software supply chain survey finds.

As enterprises develop more custom applications -- many of them mobile apps as part of a mobile-first strategy -- in-house developers are increasingly at risk of unwittingly using open-source code rife with vulnerabilities.

The use of open source components can help speed up the software development process, but it comes with a risk if poor quality code leads to vulnerable applications being released. The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations which actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.

Sonatype released its third annual State of the Software Supply Chain report, which highlights risks within open source software components. The report also highlights the benefits of managing software supply chain hygiene. “Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts.

Thousands of developers who publish JavaScript packages in the npm repository have had their passwords reset since May because their login credentials were too weak or had been publicly exposed. The affected accounts were in control of tens of thousands of Node.js modules that, in turn, were direct or indirect dependencies for half of the entire npm ecosystem.

In the past, IT security in the application building process has often been addressed as an after-thought, usually brought up at the last minute, just after the desired application and code were created. Since 2014, however, that frequent pattern has been changing as more security emphasis is apparently being brought into application development earlier in its creation, according to a recent DevSecOps study on enterprise security practices, released by Sonatype.

In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++. Sonatype, well known as the creators of artifact repositories Apache Maven and Nexus, have extended their previously Java, JavaScript, .Net and Python centric component intelligence capabilities to include the new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.

Fulton-based Sonatype is bringing on some deeper knowledge about potential security vulnerabilities with an acquisition. The company that makes tools to automate software processes and potential holes in open source code acquired Vor Security, which is based in Ottawa, Canada.

The Eclipse Foundation has announced Eclipse Oxygen is now available. The Oxygen release includes 83 projects, 287 committers, and about 71 million lines of code. “We’re proud to announce the arrival of Eclipse Oxygen, the 12th annual simultaneous release from the Eclipse Community,”

A Maryland-headquartered provider of tools to automate software supply chains has acquired a Canadian firm and launched a new data service. Fulton-based Sonatype Inc. has acquired Vor Security of Ottawa, Ontario. Ken Duck, the founder and CEO of Vor, will work on data that underpins Sonatype's tools.

Why Agile? DEVOPSdigest asked the experts for their opinions on what are the most important advantages of being Agile. Part 2 is all about speed.

Sonatype, the leader in software supply chain automation, today announced that it has released a new version of Nexus Lifecycle that includes an extension to Microsoft Visual Studio, a popular integrated development environment (IDE).

Many development teams view security as an impediment to agility and innovation, but efforts over the past few years have tried to integrate security controls and testing directly into DevOps workflows without sacrificing development speed and deployment flexibility.

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. All 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

With two international cyber-crime conferences in Belfast in the same week, we're asking whether your company can stay ahead of the hackers. Wendy Austin is joined by Shannon Lietz, DevSecOps lead at Intuit; Mark Miller, senior storyteller at Sonatype; and David Crozier of Queen's University spinout CSIT.

Sonatype has containerized and certified its Nexus Repository to run on Red Hat OpenShift Container Platform.

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. As of today, all 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

Nexus Repository is the first to offer DC/OS users a free, private registry for Docker containers in addition to enterprise-scale artifact management for the most popular development languages. Nexus Repository offers a great way to organize, store, and distribute software components critical to DevOps and CI/CD toolchains.

Sonatype, the leader in software supply chain automation, today announced the telecommunications results of its 2017 DevSecOps Community Survey. 160 telecommunications IT professionals participated in the online survey conducted in February 2017, out of a total of 2,292 overall survey respondents. The survey revealed that mature development organizations ensure automated security is woven into their DevOps practice early, everywhere, and at scale. Analysis of responses also found that 20% of telecom organizations continue to struggle with breaches, consistent with overall survey respondents.

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. As of today, all 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

Today's development practices continue to evolve toward the fast iterations of smaller builds. Developers are using approaches like microservices to chunk out monolithic applications into a sum of more rational and reusable mix-and-match elements.

Sonatype, the leader in software supply chain automation, today announced that Nexus Repository is first to market with free support for Git Large File Size (LFS) artifacts. With the addition of Git LFS, Nexus Repository now supports eight of the most popular software component types, including Docker, Java, npm, NuGet, PyPI, Bower, and RubyGems.

2017’s DockerCon was held in Austin, Texas this past week. DockerCon is the annual conference centered on the container industry and community. Below is a round-up of all the pressing news that was dropped at the event. We will be featuring news from StorageOS, TwistLock, Mesosphere, and Mirantis.

IT organizations continue to struggle with breaches, which have risen sharply over the past three years. Yet during the same period, the use of secure components has remained flat, suggesting that more organizations must improve their applications' security posture.

DevOps is not simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that DevOps teams are increasingly adopting security automation to create better and safer software.

Sonatype, the leader in software supply chain automation, has announced the results of its 2017 DevSecOps Community Survey which was conducted in February. There were 2,292 IT professionals that participated in the online survey which revealed that mature development organisations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale. Analysis of responses also found that IT organisations continue to struggle with breaches as nearly a 50% increase was recorded between Sonatype's 2014 and 2017 survey.

Sonatype has announced the results of its 2017 DevSecOps Community Survey which revealed that mature development organisations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale.

Mature development organizations make sure automated security is built into their DevOps practice early, everywhere and at scale, according to a new report by Sonatype.

Sonatype has published the results of its 2017 DevSecOps Community Survey. 2,292 IT professionals participated in the online survey conducted in February 2017. The survey revealed that mature development organizations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale. Analysis of responses also found that IT organizations continue to struggle with breaches as nearly a 50% increase was recorded between Sonatype's 2014 and 2017 survey.

Sonatype Inc., Vtesse Inc., NextCure and GrayBug LLC were the four companies that received the most venture capital funding in 2016.

Thanks to Derek Weeks, V.P. and DevOps Advocate for Sonatype for sharing their second annual report on managing open source components to accelerate innovation. Following are the key findings of their research...

Software supply chain automation company Sonatype is hanging out the flags to celebrate the fact that it has experienced a 300 percent growth in the use of its Nexus Repository over the past three years.

Javascript is everywhere, and it's awesome! But the world's most popular language can be riddled with problems if you aren't a careful programmer.

As usage of containers continues to proliferate across the enterprise there will be some natural shifting of management responsibility between developers and IT operations teams in many organizations. In fact, most developers will have a bare-minimum involvement in anything to do with IT governance.

The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.

Sonatype, a company offering a kind of quality control for software components, has extended its reach into the container world.

Today's interview is with Matt Howard, executive vice president for Market Development at Sonatype. His company helps federal software developers put together code quicker, cheaper, and in a more secure manner.

It's one thing logging onto a 15-hour online event covering the world of DevOps. It's quite another watching it live in the comfortable offices of one of the main sponsors with complimentary food and drinks from morning until evening. Plus happy hour.

Application developers are increasingly reliant on open source component parts because pre-fabricated components speed up innovation and save developers the time (and money) of having to write code from scratch.

Sonatype has mapped out the JavaScript genome to help organizations with high-velocity, automated development practices.

CloudBees, Sonatype, GitHub, CA Technologies and 10 other IT solutions and service providers have announced that they are forming an alliance with the goal of making it easier for enterprises to adopt the software stack needed to implement DevOps in their organizations.

Fourteen DevOps technology leaders announced a new initiative to streamline DevOps adoption at this week's Jenkins World. The new DevOps Express aims to help answer key questions such as where to start, what a typical DevOps stack looks like, how to learn from others, how to minimize risk, and how to ensure technologies will work together.

The software world is being flooded with open source product. In fact, the federal government has an open-source-first policy. But maybe it's time to stop and think about sources of open source. Where does all that code originate? The software supply chain. That's something Derek Weeks, vice president and DevOps advocate at Sonatype, looks at carefully. He joins Federal Drive with Tom Temin.

What: The 2016 State of the Software Supply Chain report from Sonatype detailing the use of open source components in software. Why: Because 80 to 90 percent of today's software applications are made of component parts, and increasingly, open source components, defect rates and security and quality issues abound within the software supply chain. Adopting supply chain automation principles, however, could reduce vulnerabilities.

Sonatype has just released its second annual report on managing open source components. The "2016 State of the Software Supply Chain" report is available now, and well worth reading.

Open-source software is being used more than ever, yet practices for sourcing the software are inefficient and vulnerabilities are pervasive, according to a report from supply-chain automation provider Sonatype.

Application security suffers from the indiscriminate use of open source software components, finds Sonatype research.

The software supply chain is booming and enterprises are frequently turning to open source and third party software components to decrease the amount of code they have to write, which helps accelerate deployment cycles, according to Sonatype's 2016 State of the Software Supply Chain report released Monday.

The use of third-party code in enterprise software projects is growing fast, but the used code often has known flaws.

Sonatype, the leader in software supply chain automation, today released the latest version of Nexus Repository, adding free support for seven of the most popular software component types. Additionally, Sonatype announced that Nexus Repository has now surpassed 100,000 active installations, including a majority of the Fortune 100, and continues to experience massive growth in usage.

Sonatype, a company that helps customers create automated, policy-driven software component security, announced a $30 million round today led by Goldman Sachs.

Don Duet, who co-leads the tech division at Goldman, cited the growing importance of open source code at his company as justification for the deal. "Today, open source components underpin a vast majority of our most mission-critical applications at the firm," he said in a statement.

Jackson said helping Goldman with its own software infrastructure led to the financing announced Thursday. If the institution hadn't been a customer, he says, "they probably never would have found us."

Goldman Sachs has led a $30 million investment in software developer Sonatype to help protect the quality of its open source software.

Given this new proliferation of open source software components, we are starting to see automation controls come forward to help control these essentially dynamic and constantly developing code bases.

Josh Corman is featured in a series that covers DevOps and SecOps, and securing the Internet of Things.

A popular Java library has a serious vulnerability, discovered over nine months ago, that continues to put thousands of Java applications and servers at risk of remote code execution attacks.

Twistlock have also partnered with Sonatype in order to help developers keep vulnerabilities out of the 'left hand side' of the image creation process.

Sonatype CTO, Josh Corman, is interviewed on Fox Business News about cyber security and recent hacks on vehicles, medical devices and now a Verizon phone bill with a $117,000 charge.

CNBC interviews Sonatype CTO, Josh Corman, about a suspected Russian attack on the Pentagon with a discussion about the broader implications of cyber security.

Unlike other industries that rely on supply from other organizations, software development has no clear way to understand when an open source or proprietary component 'part' is found to be defective.

Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work. The problem: they're not vetting the code for security problems.

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components.

Applications are rarely built from scratch today, but rather tend to leverage myriad tools and libraries as organizations increasingly move to a rapid deployment DevOps style of IT.

Software developers can learn a lot from the example of car manufacturing. Both stand to benefit from reducing the complexity in their supply chains and gaining more control over the parts they use.

The data breaches disclosed earlier this month at Park 'N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

The Cyber Supply Chain and Transparency Act of 2014 requires any supplier of software to the federal government to identify which third-party and open source components are used and verify that they do not include known vulnerabilities for which a less vulnerable alternative is available.